Echo: Gossip and chit-chat echo [110 / 458]
From: Roger Nelson
To: All
Subject: Something's Fishy
Date/Time: June 26, 2017 4:44 PM

 Something's phishy: How to detect phishing attempts
Posted: June 26, 2017 by Wendy Zamora
Last updated: June 23, 2017
 
Dear you,
 
 It appears you need to update your information. Click here to tell us all your
 secrets.
 
 No really, it's totally safe. We're not going to steal your identity, we
swear.
 
If only phishing attempts were that obvious.
 
Instead, these days it's hard to tell a phish apart from a foul, if you catch
my drift. Modern-day phishing campaigns use stealthy techniques to target folks
 online and trick them into believing their messages are legit. Yet for all its
 sophistication, phishing relies on one of the basest of human foibles: trust.
Detecting a phish, in its various forms, then requires you to hone a healthy
level of skepticism when receiving any kind of digital communication, be it
email, text, or even social media message. In order to understand how we got
here, let's go back to the first instance of phishing.

The Nigerian prince and early phishing
 
Back in the early days of the Internet, you could marvel at your "You've Got
Mail" message and freely open any email that came your way. You'd get one email
 a day, tops, from your new best friend you met in the "grunge 4EVA" chat room.
 There was no such thing as junk email. The only promotions you received were
CD copies of AOL in the snail mail. It didn't cross your mind that going online
 could bring about danger.
 
Then came the Nigerian prince.
 
Unfortunately, where innovation and progress lead, corruption and crime will
inevitably follow. One of the nation's longest-running scams, the Nigerian
prince phish came from a person claiming to be a government official or member
of a royal family who needed help transferring millions of dollars out of
Nigeria. The email was marked as "urgent" or "private," and its sender asked
the recipient to provide a bank account number for safekeeping the funds. Gone
were the innocent days of trusting your inbox.
 
Over the years, the Nigerian prince scam has fooled millions, raking in
hundreds of billions of dollars. Why has this scam been so successful? Simple.
It uses a time-honored criminal technique - the ole bait and switch - to fool folks
into believing that they are being contacted by a legitimate organization with
 a legitimate concern. Threat actors use this social engineering method to
trick unwilling participants into clicking on malicious links and handing over
personal information. The end goal, as with most cybercrime, is financial gain.
 
Phishing attacks aim to collect personal data - including login credentials,
credit card numbers, social security numbers, and bank account numbers - for
fraudulent purposes. The attack is most commonly delivered as an email
communication that spoofs a known enterprise, such as a bank or online shopping
 site, but it can also appear to come from an individual of authority or of
personal acquaintance. These emails always contain a link that sends users to a
 decent facsimile of a valid website where credentials will be collected and
sent to the attacker, instead of the supposedly trusted source. From there, the
 attacker can exploit credentials to commit crimes such as identity theft,
draining bank accounts, or selling personal information on the black market.
 
"Truth be told, phishing is the simplest kind of cyberattack and, at the same
time, the most dangerous and effective," says Adam Kujawa, Director of Malware
Intelligence. "That is because it attacks the most vulnerable and powerful
computer on the planet: the human mind."

The evolution of phishing
 
While the Nigerian prince attack vector remains in use today, most savvy
Internet users can now spot this scam a mile away (hence the multitude of memes
 that have popped up over the years). The campaign has lost its edge and fooled
 way fewer users. Plus, email technology has progressed so that spam filters
readily pick up on this phish and block it. And this is why cybercriminals have
 had to advance their tactics.
 
"Phishers had no other choice but to evolve and improve on where they fell
short," says Jovi Umawing, Malware Intelligence Analyst at Malwarebytes.
"Nowadays, most sophisticated modern-day phishing emails are so polished and
well-designed that one cannot easily differentiate them from legitimate ones."
 
Case in point: Recent phishing campaigns have had great success impersonating
big-name companies and fooling big-name recipients. In May 2017, a phishing
email targeted one million Gmail users by purporting to be from a contact
sharing Google Docs. In Minnesota alone, state employees were scammed out of
$90,000 due to the Google Docs fiasco. Hillary Clinton's campaign manager for
the 2016 presidential election, John Podesta, famously had his Gmail hacked and
subsequently leaked after falling for the oldest trick in the book - a phishing
attack claiming that his email password had been compromised (so click here to
change it).
 
So how can we learn from these lessons? Let's start by identifying the
different types of phishing in use today.
 
Types of phishing
 
The most basic and commonly seen type of attack, of course, is the phishing
email. Phishing emails are sent to a group of users who are unique enough to be
 used as bait but broad enough to ensnare a large number of people. The point
is to cast as large a net as possible. In contrast, other forms of attack are
much more targeted.
 
Spear phishing, as might be gathered from its title, usually targets a specific
 person or organization. Since these types of attacks are so pointed, phishers
scour the Internet for available information about their target in order to
craft a believable email to extort information (if not money) from victims.
 
Whaling is a form of spear phishing directed at executives or other
high-profile targets within a business, government, or other organization, such
 as a CEO, senator, or someone who has access to financial assets. CFO fraud is
 an example of whaling.
 
Smishing, short for SMS phishing, is carried out via SMS text messaging on
mobile devices. A similar technique, vishing, is voice phishing conducted over
the phone.
 
Pharming, also known as DNS-based phishing, is a type of phishing that involves
 the modification or tampering of a system's host files or domain name system
to redirect requests for URLs to a fake site. As a result, users have no idea
that the website they are entering their personal details into is fake.
 
Content-injection phishing is when phishers insert malicious code or misleading
 content into legitimate websites that instructs users to enter their
credentials or personal information. This type of phishing is a form of content
 spoofing.
 
Man-in-the-middle phishing happens when phishers position themselves between
people and the websites they use, such as social networking sites or online
banks, to extract information as it's being entered. This type of phishing is
more difficult to detect because attackers continue to pass on users'
information (after collecting it) so as not to disrupt any transactions.
 
And finally, search engine phishing starts off when phishers create malicious
websites with attractive offers, and search engines index them. People then
stumble upon such sites doing their own online searches and, thinking the sites
 are legit, unknowingly give up their personal information.
 
There truly are a lot of phish in the sea.
 
So, if your head isn't completely swimming in fish puns, it's time to talk
about how to train your eye and your gut to sniff out the various forms of
phishing attacks. I asked Labs researchers to tell me their top indications
that an email, text, or other form of communication is a phish and compiled a
list of their, and my, recommendations.

Something's phishy if:
 
    The email, text, or voicemail is requesting that you update/fill in
personal information. This is especially dubious if it's coming from a bank or
the IRS. Treat any communication asking for your credentials with extra
caution.
 
    The URL shown on the email and the URL that displays when you hover over
the link are different from one another.
 
    The "From" address is an imitation of a legitimate address, especially from
 a business.
 
    The formatting and design are different from what you usually receive from
an organization. Maybe the logo looks pixelated or the buttons are different
colors. Or possibly there are weird paragraph breaks or extra spaces between
words. If the email appears sloppy, start making the squinty "this looks
suspect" face.
 
    The content is badly written. Sure, there are plenty of wannabe writers
working for legitimate organizations, but this email might seem particularly
amateur. Are there obvious grammar errors? Is there awkward sentence structure,
 like perhaps it was written by a computer program or someone whose second
language is English? Take a closer look.
 
    Speaking of content, a phishing email almost always sounds desperate.
"Whether they're claiming that your account will be closed, an urgent request
is needed, or your account has been compromised, think twice before
double-clicking that link or downloading that attachment," says Umawing.
 
    The email contains attachments from unknown sources that you were not
expecting. Don't open them, plain and simple. They might contain malware that
could infect your system.
 
    The website is not secure. If you do go ahead and click on the link of an
email to fill out personal information, be sure you see the "https"
abbreviation as well as the lock symbol at the beginning of the URL. If not,
that means any data you submit is vulnerable to cybercriminals. (If the link is
 malicious, Malwarebytes will block the site.)
 
If you suspect or can verify that you've been phished, it's best to report the
attempt directly to the person or organization being spoofed. You can also
contact the Federal Trade Commission (FTC) to lodge a complaint. Once
completed, delete the email, then empty your trash. (Same goes for texts.)
 
Now the next time someone attempts to scam you with fraudulent emails, you
won't have to wonder if the message is for real. You'll scope out a phish hook,
 line, and sinker.
 
[My note:] The grammar is a dead giveaway, too.
 
 
Regards,
 
Roger

--- PQUSA
 * Origin: NCS BBS - Houma, LoUiSiAna (1:3828/7)